
Start publishing the cursed token on GitHub Pages #7

Merged
merged 1 commit into from
Oct 30, 2023

Conversation

jku
Collaborator

@jku jku commented Oct 6, 2023

Start publishing the token on GitHub Pages (https://sigstore-conformance.github.io/extremely-dangerous-public-oidc-beacon/oidc-token.txt):

  • This makes it a lot easier to find, download and use the token
  • The old artifact upload is preserved so current scripts (so sigstore-conformance 0.7, 0.8) should keep working

Fixes #5.

Details:

  • All known sigstore-conformance users have updated to v0.8 or are using main: I believe this is safe to merge.
  • The GitHub Pages source is set to "Actions" in GH settings so this should start working right away. I can't see the environment settings but they should be correct by default (there should be a "github-pages" env and main branch should be allowed to deploy).
  • The legacy artifact upload that is currently preserved can be removed once sigstore-conformance uses the new token location and we've seen that it's reliable.
  • At that point I think the workflows in this project can be simplified significantly: the reason for the workflow dispatch dance is that published artifacts are not made available until the workflow finishes -- that limitation likely does not apply to Pages publishing (although it remains to be seen if GitHub is ok with publishing to Pages multiple times from the same workflow)

* This should make it a lot easier to find, download and use
* The old upload is preserved so old scripts should keep working

As a result the latest token should always be available in
https://sigstore-conformance.github.io/extremely-dangerous-public-oidc-beacon/oidc-token.txt

Signed-off-by: Jussi Kukkonen <[email protected]>
@jku
Collaborator Author

jku commented Oct 6, 2023

This is a draft until sigstore/sigstore-conformance#102 is merged

I suppose we should wait until there's a sigstore-conformance release and until the known users have upgraded as well.

@jku
Collaborator Author

jku commented Oct 17, 2023

note to self: All conformance users have now upgraded (or are using main branch).

@jku jku marked this pull request as ready for review October 28, 2023 08:29
@jku jku requested a review from woodruffw October 28, 2023 08:30
@jku
Collaborator Author

jku commented Oct 28, 2023

This bit in sigstore-conformance I'm not sure about:

_OIDC_BEACON_WORKFLOW_ID = 55399612

Does the workflow id stay the same? I expect that it does but I can't be sure.

@woodruffw woodruffw self-assigned this Oct 28, 2023
@woodruffw
Collaborator

Does the workflow id stay the same? I expect that it does but I can't be sure.

I think it does, but we can confirm/update with https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#get-a-workflow if it breaks after merging 🙂

Collaborator

@woodruffw woodruffw left a comment


LGTM! I'd like @tetsuo-cpp or @tnytown to also take a brief look at this if either have time 🙂

@tnytown
Contributor

tnytown commented Oct 30, 2023

In my experience, GitHub Pages sometimes takes a bit to propagate changes due to caching -- is this a concern w.r.t. the tokens, given their relatively short validity period?

Implementation LGTM!

@woodruffw
Collaborator

In my experience, GitHub Pages sometimes takes a bit to propagate changes due to caching -- is this a concern w.r.t. the tokens, given their relatively short validity period?

Caching on the HTTP header side, or caching on the deployment side? I wouldn't be surprised if GHP serves HTTP caching headers, but we can always ignore those 🙂

@tnytown
Contributor

tnytown commented Oct 30, 2023

Caching on the HTTP header side, or caching on the deployment side? I wouldn't be surprised if GHP serves HTTP caching headers, but we can always ignore those 🙂

IIRC the deployment side, it's been a while since I've had to worry about it. I've never experienced a delay of more than 5 minutes, but that may still impact the validity period of the tokens if the behavior is still present :(
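
The staleness concern raised in this thread is something a consumer of the Pages URL can check for itself. The following is an added example, not code from this project or from sigstore-conformance: it fetches the token with a no-cache request (for the HTTP-cache case), parses the JWT payload without verifying the signature (that remains the relying party's job), and refuses a token whose `exp` is too close. The URL is the one from the PR description; the sample token and its claim values are constructed for offline testing.

```python
import base64
import json
import time
import urllib.request
from typing import Optional

# URL from the PR description (the beacon's published token location).
TOKEN_URL = ("https://sigstore-conformance.github.io/"
             "extremely-dangerous-public-oidc-beacon/oidc-token.txt")


def fetch_token(url: str = TOKEN_URL, timeout: float = 10.0) -> str:
    """Download the current token, asking caches not to serve a stored copy."""
    req = urllib.request.Request(
        url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Parse the JWT payload. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def seconds_remaining(token: str, now: Optional[float] = None) -> float:
    """Seconds until the 'exp' claim; negative means already expired."""
    claims = token_claims(token)
    if "exp" not in claims:
        raise ValueError("token has no 'exp' claim")
    return float(claims["exp"]) - (time.time() if now is None else now)


def is_usable(token: str, min_remaining: float = 60.0,
              now: Optional[float] = None) -> bool:
    """True if at least min_remaining seconds of validity are left (a stale Pages copy fails this)."""
    return seconds_remaining(token, now) >= min_remaining


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg 'none', empty signature) for offline tests only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    tok = fetch_token()
    print("usable" if is_usable(tok) else "stale or expired, retry later")
```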

@woodruffw
Collaborator

Gotcha. I think we can go ahead and deploy this as-is; if we run into consistent issues, then we'll look into another publication mechanism or location.

@woodruffw woodruffw merged commit 8e87e29 into sigstore-conformance:main Oct 30, 2023
1 check passed
@woodruffw
Collaborator

Appears to be working: https://sigstore-conformance.github.io/extremely-dangerous-public-oidc-beacon/oidc-token.txt

@jku jku deleted the publish-to-github-pages branch February 22, 2024 07:56
Successfully merging this pull request may close these issues.

publish token to GH Pages?